Digital Pi provides consulting services to help our clients optimize their Marketing Automation systems. In order to provide that service, we almost always need access to our client’s internal applications. Therefore, our clients are entrusting us with access to their system and to their data and seeking assurances that we are protecting both.
Security is Critical
After years in the business, we know that you are only as secure as your weakest link. And the weakest link is almost always a person. People are not doing intentionally “bad” things, but people are just unaware. So the baseline is that you need to have some form of security awareness at your company, and you can start out with some basic things like passwords and email restrictions but when you’re company is handling client information – it’s imperative to take things further.
What is a SOC2 “Attestation”?
Service and Organisation Controls (SOC 2) is a set of standards from the American Institute of Certified Public Accountants (“AICPA”) that outline recommended policies and controls needed to support security. While many of the controls are focused on data security, there are also controls in place to ensure that effective management and oversight are in place that are also critical to security. These include controls around employee background checks, employee training, continual risk management practices, incident response plans, third party vendor screening.
The goal is that that when someone says, “do you have good security?” You have evidence and proof that you have been doing the right things instead of saying you have security policies in place.
Essentially it’s a set of industry best practices established by an organization designated to put security controls in place. It’s not only focused on data security and technology, but it’s also focused on operational procedures that should be in place so your company is a well-run company that takes security seriously. A company that reviews risks, has training procedures in place, and has an appropriate screening of employees all done in a rigorous way.
The SOC2 Situation – How do You get it?
When undergoing a SOC2 evaluation, a CPA firm evaluates a company’s policies and controls to make sure that they are well designed and are actually in place at a point in time. This results in a SOC2 Type1 Attestation.
In our case, it took longer than we thought. Fortunately, we had already taken security very seriously and we had procedures in place, but what we didn’t necessarily have is the rigorous proof of all these things that we should be doing, that we were doing them consistently, on set schedules.
It’s not just making sure you are doing virus scanning or that you have encryption turned on – it’s making sure that you are reviewing risks continually and that the security policy in place is a living document constantly updated as new issues are uncovered. We have to update the policy and make sure that all of our employees are aware of it and trained on it. So, it’s nothing if not a continual process.
For us at Digital Pi, many of our customers are themselves SOC two compliant. And, as part of that, they have the responsibility of vetting every vendor. So they need to do their due diligence on us before we have access to their systems. So all of the controls that they have internally were kind of being put to us to see how we comply with that.
Now, having SOC two compliance actually streamlines that process a lot better resulting in a deeper level of trust with our clients.
SOC2 is not the Security Finish Line
The next step will be to undergo a Type 2 evaluation, which is earned when an auditor confirms you have been operating under those controls over a period of time.